About Me

I am an MCSE in Data Management and Analytics, specializing in MS SQL Server, and an MCP in Azure. With over 19 years of experience in the IT industry, I bring expertise in data management, Azure Cloud, Data Center Migration, Infrastructure Architecture planning, as well as Virtualization and automation. I have a deep passion for driving innovation through infrastructure automation, particularly using Terraform for efficient provisioning. If you're looking for guidance on automating your infrastructure or have questions about Azure, SQL Server, or cloud migration, feel free to reach out. I often write to capture my own experiences and insights for future reference, but I hope that sharing these experiences through my blog will help others on their journey as well. Thank you for reading!

Securing a Virtual Network with Azure Firewall

Introduction
Securing a network's perimeter is one of the most important aspects of a cloud engineer's role. This post walks through a common, real-world version of that task: I will build a hub-and-spoke network topology, configure and deploy Azure Firewall, and then traverse it from the internet using destination network address translation (DNAT) to reach a virtual machine that has no public IP address of its own.

We'll need a Remote Desktop client to test the Azure Firewall configuration at the end. The client is built into Windows, and Microsoft provides a separate client for macOS.

Solution
Log in to the Azure Portal.

Create a Virtual Network

Set the following values:
Name: SpokeVnet1
Address space: 10.10.10.0/24
Resource group: rakeshrg
Location: NorthEurope
Address range (default subnet): 10.10.10.0/26
Click Create.

Create a Network Security Group

Navigate to All services > Network security groups.
Click Create network security group.
Set the following values:
Name: SpokeNSG1
Resource group: rakeshrg
Location: NorthEurope
Click Create.
Once it's deployed, click the name of the NSG.
Click Subnets.
Click Associate.
Click Virtual network and select SpokeVnet1.
Click Subnet and select default.
Click OK.

Create a Virtual Machine

Click Virtual machines in the left-hand menu.
Click Create virtual machine, and set the following values:
Resource group: Select the one listed in the dropdown
Virtual machine name: Anything you'd like (e.g., "SpokeServer1")
Region: Select the one listed in the dropdown
Image: Windows Server 2019
Size: B2s Standard
Username: Anything
Password: X*****X
Click Next: Disks.
Leave settings as-is and click Next: Networking.
Set the Virtual network to the one we previously created.
Set Public IP to None.
Click Next: Management.
Set Boot Diagnostics to Off.
Click Next: Advanced > Next: Tags > Next: Review + create.
Click Create.
Create a Second Virtual Network and Azure Firewall

Navigate to Virtual networks in the left-hand menu and click Create virtual network.
Set the following values:
Name: HubVnet1
Address space: 10.10.200.0/24
Resource group: rakeshrg
Location: NorthEurope
Address range (default subnet): 10.10.200.0/26
Firewall: Enabled
Firewall name: Anything you'd like (e.g., "Firewall1")
Firewall subnet address space: 10.10.200.64/26
Click Create.
Peer the Virtual Networks Together and Create a Route Table

Click HubVnet1.
Click Peerings > Add.
Set the following values:
Name of the peering from HubVnet1 to remote virtual network: HubToSpokePeer
Virtual network: SpokeVnet1
Name of the peering from SpokeVnet1 to HubVnet1: SpokeToHubPeer
Enable every peering option except gateway transit.
Click OK.
Navigate to All services > Route tables.
Click Create route table, and set the following values:
Name: Anything you'd like (e.g., "DefaultRoute")
Resource group: Select the one listed in the dropdown
Location: The same location as before
Click Create.
Once it's deployed, click its name.
Click Routes > Add.
Set the following values:
Route name: Anything you'd like (e.g., "DefaultRoute1")
Address prefix: 0.0.0.0/0
Next hop type: Virtual appliance
Next hop address: 10.10.200.68 (the firewall's private IP address, the first usable address in the firewall subnet)
Click OK.
Click Subnets.
Click Associate.
Click Virtual network and select SpokeVnet1.
Click Subnet and select default.
Click OK.
Allow Remote Desktop Protocol Traffic through the Azure Firewall and the Network Security Group
Navigate to All services > Firewalls.
Click the firewall we created earlier.
Click Public IP Configuration and copy its listed public IP address into a text editor; we'll need it shortly when configuring the NAT rule.
Click Rules.
Click Add NAT rule collection, and set the following values for the rule collection:
Name: Anything you'd like (e.g., "RDPForward")
Priority: Any number between 100 and 50000
In the Rules section, set the following values:
Name: Anything you'd like (e.g., "RDPtoSpoke")
Protocol: TCP and UDP
Source Addresses: Either a wildcard (*), which accepts RDP connections from any internet address, or your own public IPv4 address (which you can get by querying Google); restricting the source to your own address is the tighter choice.
Destination Addresses: The public IP address of the firewall we copied earlier
Destination Ports: 3389
Translated Address: 10.10.10.4
Translated Port: 3389
Click Add.
Navigate to All services > Network security groups.
Click the network security group we created earlier.
Click Inbound security rules.
Click Add, and set the following values:
Source: IP Addresses
Source IP addresses/CIDR ranges: 10.10.200.64/26 (the firewall subnet: Azure Firewall SNATs DNAT-forwarded connections, so the VM sees the firewall's private IP as the source rather than the remote client's address)
Source port ranges: *
Destination: IP Addresses
Destination IP addresses/CIDR ranges: 10.10.10.4
Destination port ranges: 3389
Name: Anything you'd like (e.g., "RDPtoSpoke")
Click Add.
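The route table, DNAT rule collection and NSG rule from the two sections above, expressed as Terraform for the azurerm provider. This is an added example, not the post's own code; it assumes the resource group rakeshrg, SpokeVnet1 with its default subnet, SpokeNSG1 and the firewall named Firewall1 already exist as created above, and the two variables (the firewall's public IP and the spoke subnet's resource id) are assumed inputs you supply.

```hcl
variable "firewall_public_ip" { type = string } # assumed: copied from the portal
variable "spoke_subnet_id" { type = string }    # assumed: resource id of SpokeVnet1/default

# Route table: send all spoke egress (0.0.0.0/0) to the firewall's private IP.
resource "azurerm_route_table" "spoke_default" {
  name                = "DefaultRoute"
  location            = "northeurope"
  resource_group_name = "rakeshrg"
  route {
    name                   = "DefaultRoute1"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "10.10.200.68"
  }
}
resource "azurerm_subnet_route_table_association" "spoke_default" {
  subnet_id      = var.spoke_subnet_id
  route_table_id = azurerm_route_table.spoke_default.id
}
# DNAT: firewall public IP, port 3389 -> SpokeServer1 at 10.10.10.4:3389.
resource "azurerm_firewall_nat_rule_collection" "rdp_forward" {
  name                = "RDPForward"
  azure_firewall_name = "Firewall1"
  resource_group_name = "rakeshrg"
  priority            = 100
  action              = "Dnat"
  rule {
    name                  = "RDPtoSpoke"
    protocols             = ["TCP", "UDP"]
    source_addresses      = ["*"] # narrow to your own public IPv4 /32 where possible
    destination_addresses = [var.firewall_public_ip]
    destination_ports     = ["3389"]
    translated_address    = "10.10.10.4"
    translated_port       = "3389"
  }
}
# NSG: the firewall SNATs forwarded connections, so the allowed source is its subnet.
resource "azurerm_network_security_rule" "rdp_from_firewall" {
  name                        = "RDPtoSpoke"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "10.10.200.64/26"
  destination_address_prefix  = "10.10.10.4"
  resource_group_name         = "rakeshrg"
  network_security_group_name = "SpokeNSG1"
}
```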
Test Azure Firewall
Open the Remote Desktop client and connect to the public IP address of the Azure Firewall.
If it's working correctly, a standard Windows credential pop-up should be presented.
Provide the username and password of the virtual machine, and then click Continue.
Once connected, open an Internet Explorer window and browse to Google.com. Because the route table sends all of the spoke's outbound traffic to the firewall and no application or network rule allows it, Azure Firewall denies the request by default, so the browser shows the firewall's deny response rather than the Google page. That denial confirms the VM's internet-bound traffic is traversing the firewall.